NIST CSF 2.0 introduces the new Govern function alongside the original Identify / Protect / Detect / Respond / Recover model. CyberFortify's network and application pen testing reports map findings to all six functions and the underlying NIST 800-53 control catalogue.
// 01 What NIST CSF 2.0 actually is
An outcome-based cybersecurity framework maintained by the US National Institute of Standards and Technology, organised around six top-level functions and twenty-three categories. The 2.0 revision (2024) added Govern as a sixth function and broadened scope explicitly beyond critical infrastructure to all organisations.
CSF 2.0 is voluntary in most contexts but operationally mandatory: it is referenced by federal contracting (FedRAMP, CMMC), regulator guidance, insurance underwriting and enterprise procurement.
The framework is deliberately outcome-driven rather than prescriptive. It does not tell you which firewall to buy. It tells you what capability you must demonstrate - for example, "detection processes are tested" (DE.DP-3 in 1.1, now reorganised in 2.0) - and leaves the implementation choice to the organisation. That is a feature, not a bug. CSF's strength is that it travels well across industries.
// 02 The six functions explained
CSF 2.0 is organised around six functions. CyberFortify maps offensive testing evidence into all of them, but the highest-value mappings are usually PR / DE / RS - the functions a pen test most directly validates.
Govern
Establish, communicate and monitor cybersecurity strategy, expectations and policy. Includes roles & responsibilities, supply-chain risk, oversight. Pen testing supports GV by producing the evidence governance committees rely on.
Identify
Asset management, risk assessment, supply-chain inventory. Pen test reconnaissance phase produces unsanctioned-asset evidence (subdomain takeover candidates, forgotten staging environments) directly mappable to ID.AM-2.
Protect
Access control, awareness, data security, platform security, technology infrastructure resilience. Every CyberFortify finding maps primarily into PR - this is where preventive controls are tested.
Detect
Continuous monitoring, anomaly & event analysis. CyberFortify's red team service is the highest-fidelity DE evidence source - it tests whether your monitoring actually triggers under realistic adversary tradecraft.
Respond
Incident management, analysis, mitigation, reporting. Purple-team engagements explicitly exercise RS function activities and produce structured evidence on response time, runbook quality and stakeholder communication.
Recover
Incident recovery plan execution, communications. Tested through tabletop exercises and disaster-recovery drills, often paired with a red-team engagement.
// 03 How CyberFortify maps findings to CSF 2.0
Every CyberFortify web application pen test, network pen test and cloud pen test finding is mapped to a primary CSF 2.0 subcategory plus the relevant NIST 800-53 control reference. Here is how a representative finding looks.
Function
Primary CSF function (e.g., PR - Protect).
PR / DE / RSCategory
e.g., PR.AA - Identity Management, Authentication and Access Control.
23 categoriesSubcategory
e.g., PR.AA-03 - Users and processes are uniquely identified and authenticated.
108 subcategoriesNIST 800-53 reference
e.g., AC-2, IA-2 - the underlying control catalogue federal teams reference directly.
Control catalogueImplementation tier
1 (Partial) - 4 (Adaptive). Recommended target tier per finding category.
Tier 1-4// 04 Why CSF 2.0 matters in 2026
CSF 2.0 is now the lingua franca of executive-level cybersecurity reporting. Boards and audit committees ask questions in CSF terms ("What is our PR.AC posture?") more often than in framework-specific terms. Pen testing reports that ship with native CSF mapping skip the translation step that historically slowed down board-level remediation discussions.
CSF 2.0 is outcome-based by design. A pen test is the most direct outcome-based evidence you can produce against the Protect and Detect functions - it shows what attackers actually achieve, not what controls are documented.
CyberFortify reporting practice// 05 Frequently asked questions
Is NIST CSF mandatory?
CSF itself is voluntary in most contexts. However, it is referenced by federal contracting frameworks (FedRAMP, CMMC), regulator guidance (SEC, NYDFS) and insurance underwriting questionnaires - making it operationally mandatory for many organisations.
How does CSF 2.0 differ from CSF 1.1?
The biggest change is the new sixth function, Govern. CSF 1.1 had five functions (ID/PR/DE/RS/RC). CSF 2.0 adds Govern as a top-level function recognising the central role of cybersecurity governance. Scope was also broadened beyond critical infrastructure to all organisations.
Do you also map to NIST 800-53?
Yes. Every CSF subcategory has informative-reference mappings to NIST 800-53 controls; CyberFortify reports include both. This is essential for federal customers and FedRAMP / CMMC environments.
How does CSF relate to ISO 27001?
CSF is outcome-based; ISO 27001 is a management-system standard with a certifiable conformance requirement. Many organisations run both: CSF for executive communication, ISO for the certification their enterprise customers demand.